Zelium AI is designed for Shopify merchants and primarily processes merchant store and product data. The app is not designed to collect or store customers' payment details, checkout data, or customer account records from a merchant's Shopify store.
If a merchant enables Zelium AI's public feed or llms.txt features, certain product and store information becomes publicly accessible by design.
Contents
1. Who We Are
Zelium AI is operated by PHI VENTURES LLP, trading as Zelium AI ("Zelium AI", "we", "us", or "our").
Registered office: I-103, 24K-Stargaze, Bavdhan, Pune-411021, MH, India.
General contact: team@zelium.app.
For most merchant account and store data described in this policy, Zelium AI acts as an independent controller or equivalent business operator responsible for deciding how that data is used to provide the service. Where we process merchant instructions to change store content, we may also act as a processor or service provider for those limited activities.
2. Scope
This Privacy Policy covers:
- The Zelium AI Shopify embedded app and related admin features.
- Shopify app installation, authentication, billing, and webhook flows.
- Public feed, app proxy, and llms.txt endpoints operated by Zelium AI.
- Support, service emails, and this public website.
It does not cover:
- Shopify's own handling of data under Shopify's policies.
- Third-party websites or services not controlled by us.
- A merchant's own use of data in their store, theme, or checkout.
3. What We Collect
| Category | Examples | Why it matters |
|---|---|---|
| Merchant and store account data | Shopify shop domain, Shopify shop ID, store name, merchant email, installed plan, currency, onboarding preferences, app status, and Shopify-generated authentication/session context. | Needed to authenticate the merchant, create the store record, manage billing state, send service messages, and apply the correct plan limits. |
| Store and product content | Product titles, descriptions, handles, vendors, product types, tags, images and alt text, variant details, SKU, barcode/GTIN, MPN, metafield-derived attributes, content pages, blog or online store content, and theme/storefront information needed to analyze discoverability or generate structured output. | Used to score discoverability, generate recommendations, create AI summaries, build schema output, and publish merchant-authorized feed content. |
| Generated app data | Scores, grades, snapshots, suggestions, fix previews, fix history, AI summaries, feed metadata, crawler analytics, usage counters, and webhook processing records. | Required to show dashboards, preserve undo/review flows, enforce plan limits, and operate scheduled scans or feed generation. |
| Technical and security data | IP address, user-agent, request metadata, timestamps, error logs, webhook payload metadata, and diagnostic traces. If Sentry or similar monitoring is enabled in production, request IP and technical context may be attached to security and error events. | Used for security, fraud prevention, debugging, uptime monitoring, and rate-limit or abuse analysis. |
| Public crawler access data | When an AI crawler or other client requests a public feed or llms.txt, we may log the request path, crawler name (if detectable), user-agent, IP address, status code, and time. | Used to show merchants feed access analytics, diagnose abuse, and understand whether AI agents are reaching the merchant-authorized public feed. |
| Support and communications data | Support emails, store contact details, notification preferences, and service communications you send to us. | Used to respond to support requests, operational notifications, and account-related communications. |
Data we do not intentionally collect as part of the core service
- Customer payment card data or other payment instrument data.
- Shopper checkout or order records from a merchant's Shopify store.
- Customer address books, customer profiles, or customer marketing lists.
- Sensitive personal data unless you deliberately send it to us outside the intended use of the service.
Storefront password-protected pages
If a merchant asks Zelium AI to analyze a password-protected storefront, the service may use temporary technical session cookies or equivalent access tokens server-side solely to fetch the page the merchant asked us to review. These temporary credentials are not used for customer tracking or advertising.
4. How We Use Data
We use information we collect to:
- Install, authenticate, and operate the app for a Shopify merchant.
- Sync product and store data from Shopify.
- Analyze discoverability, content quality, structured data, and identifiers.
- Create dashboards, benchmarks, historical score views, and recommendations.
- Generate AI-assisted summaries, fix suggestions, and related output.
- Write approved or merchant-enabled changes back to Shopify where the feature requires it.
- Generate and host merchant-authorized public feeds and llms.txt files.
- Process subscriptions, plan enforcement, and billing-related events through Shopify.
- Send service emails, support responses, and essential app communications.
- Monitor service health, detect abuse, and investigate errors or incidents.
- Meet legal, regulatory, tax, audit, and Shopify platform obligations.
We do not sell merchant personal data. We do not use merchant data received through Shopify to train generalized AI models without a lawful basis and, where required, the merchant's authorization.
5. Legal Bases
Where laws such as the GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following legal bases:
- Performance of a contract: to provide Zelium AI and related support.
- Legitimate interests: to secure, improve, monitor, and administer the service.
- Legal obligation: to comply with tax, accounting, regulatory, audit, and lawful disclosure duties.
- Consent: where you specifically opt into optional communications or other consent-based processing.
If Indian privacy law applies, including the Digital Personal Data Protection Act, 2023 and applicable rules, we will process personal data only for lawful purposes, with notice and consent where required, and make a grievance channel available.
6. Public Feed and Public Features
Zelium AI can generate a merchant-authorized public product feed and related discovery files. If enabled, these outputs may be accessible through URLs such as feed.zelium.app and/or on the merchant's own domain via Shopify App Proxy.
Public feed content may include:
- Store name and store domain.
- Public product titles, descriptions, images, prices, and variant availability.
- Identifiers such as SKU, GTIN, and MPN where present in merchant data.
- AI-generated summaries and structured data output.
- Feed metadata such as generation time, page count, and update frequency.
Zelium AI's feed generation logic strips common personal data fields such as email, phone, address, customer name, and IP address from feed output. However, merchants remain responsible for ensuring they do not store personal data inside product descriptions, metafields, or other store content they choose to publish.
Once a public feed is enabled, content may be cached, indexed, copied, or processed by search engines, AI crawlers, browsers, CDNs, or other third parties outside our control.
7. How We Share Data
We may share data with the following categories of recipients:
| Recipient | Purpose | Typical data involved |
|---|---|---|
| Shopify | App installation, authentication, billing, webhooks, and store data sync. | Shop/store identifiers, OAuth or token exchange context, billing state, and store content made available through Shopify APIs. |
| Microsoft Azure and related infrastructure services (India region) | Hosting, database, public feed storage, email delivery, and operational infrastructure. | Merchant/store data, generated app data, feed files, support email routing, and system logs. |
| OpenAI or equivalent AI provider engaged by Zelium AI (processing region as disclosed by the provider) | AI-assisted scoring, summary generation, or drafting assistance. | Relevant product, page, or content fields necessary to generate the requested output. |
| Sentry or equivalent monitoring provider (EU region) | Error monitoring, performance diagnostics, and incident investigation. | Technical logs, request metadata, stack traces, and potentially IP or user context where monitoring is enabled. |
| Professional advisers and authorities | Legal compliance, dispute handling, audits, accounting, tax, or law enforcement requests. | Only the data reasonably necessary for the relevant purpose. |
| Corporate transaction counterparties | Merger, acquisition, restructuring, financing, or sale of business assets. | Relevant business records subject to confidentiality and applicable law. |
We require service providers acting on our behalf to use data only for the contracted service and to protect it appropriately.
8. International Transfers
Zelium AI may process data in countries other than the merchant's country, including where our hosting providers, AI providers, email providers, or support systems operate. Where required by law, we use appropriate safeguards for cross-border transfers, such as contractual protections, corporate safeguards, or other lawful transfer mechanisms.
9. Retention
We retain data for no longer than reasonably necessary for the purposes described above, subject to legal and operational requirements.
- Active merchant account data: generally retained while the app remains installed and active.
- Post-uninstall recovery window: Zelium AI currently keeps recently uninstalled store data for a short restoration window, generally up to seven (7) days, to support accidental uninstall/reinstall recovery.
- Historical analytics: score history and similar analytics may be retained under plan-based windows, currently ranging from limited short windows to longer enterprise windows.
- Suggestion and action history: some recommendation and action records are retained for limited operational periods, including limited undo or audit windows.
- Security and access logs: retained for limited periods needed for abuse detection, diagnostics, and audit trails.
- Billing, tax, and legal records: may be retained longer where required by law, accounting standards, or dispute preservation needs.
If a merchant requires deletion, they can uninstall the app and contact us. Where applicable, Shopify may also send mandatory privacy compliance webhooks requiring access, redaction, or deletion handling.
10. Security
We use commercially reasonable measures to protect data, including measures such as:
- TLS/HTTPS in transit.
- Access controls and least-privilege access to operational systems.
- Reasonable monitoring, logging, and incident response processes.
- Provider-side security controls for cloud hosting, storage, and email delivery.
No security program can guarantee absolute security. Merchants are responsible for protecting their Shopify admin credentials and keeping their store environment secure.
11. Breach Notification
In the event of a personal data breach that we determine poses a risk to the rights and freedoms of affected individuals, we will:
- Notify the relevant data protection authority without undue delay and, where required by GDPR, within 72 hours of becoming aware of the breach.
- Notify affected merchants without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Document the breach, its effects, and the remedial actions taken, in accordance with applicable law.
If Indian privacy law applies, we will notify the Data Protection Board of India and affected data principals as required under the Digital Personal Data Protection Act, 2023 and applicable rules.
12. Cookies and Tracking Technologies
The Zelium AI Shopify embedded app does not set independent cookies on the merchant's browser. Authentication and session context are handled entirely through Shopify App Bridge.
Our public website (zelium.app) may use essential cookies or similar technologies to support basic site functionality. We do not use cookies for behavioural advertising or cross-site tracking.
If we introduce analytics or non-essential cookies in the future, we will update this section and, where required by law, obtain consent before setting those cookies.
13. Your Rights
Depending on where you are located and which laws apply, you may have rights to:
- Request access to personal data we hold about you.
- Request correction or updating of inaccurate data.
- Request deletion or erasure of personal data.
- Object to or restrict certain processing.
- Request portability of certain data.
- Withdraw consent where processing depends on consent.
- Lodge a complaint with a regulator or data protection authority.
EEA, UK, and similar jurisdictions
If GDPR, UK GDPR, or similar laws apply, you may have rights of access, rectification, erasure, restriction, objection, portability, and complaint to a supervisory authority.
California and similar U.S. state privacy laws
Zelium AI does not sell personal information and does not share personal information for cross-context behavioral advertising as part of the core service. If applicable law grants additional rights, contact us and we will handle the request in accordance with law.
We will not discriminate against you for exercising your privacy rights, including by denying service, charging different prices, or providing a different level of quality.
India
If Indian privacy law applies, you may contact our grievance channel to request a summary of personal data processing, correction, updating, or erasure, subject to lawful limitations.
14. Shopify Privacy Requests
Shopify requires public apps to respond to privacy compliance workflows, including customer data access requests, customer redaction requests, and shop redaction requests. Zelium AI maintains the required webhook endpoints and operational processes for those requests.
Because Zelium AI is not designed to collect customer checkout or customer account data from a merchant's Shopify store, customer-specific requests will typically be handled by confirming that no customer personal data is stored in Zelium AI's core systems.
15. Children
Zelium AI is intended for business users operating Shopify stores. It is not directed to children, and we do not knowingly collect personal data directly from children.
16. Changes
We may update this Privacy Policy from time to time to reflect changes in the law, the service, our providers, or our processing practices. We will post the updated version on this page and revise the "Last updated" date. Material changes may also be notified in-app or by email where appropriate.
17. Contact
- Operator: PHI VENTURES LLP, trading as Zelium AI
- Registered office: I-103, 24K-Stargaze, Bavdhan, Pune-411021, MH, India
- General support: team@zelium.app
- India grievance contact: Grievance Officer, team@zelium.app
- Website: https://zelium.app
If you require a data processing addendum, a regulator-facing privacy explanation, or enterprise vendor/security documentation, contact us at the email above.